On Thursday, September 22, 2022, the first set of requirements brought on by Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, comes into force in Québec. The remaining requirements will come into force in increments, in September 2023 and in September 2024.
Bill 64 makes significant amendments to Québec’s private sector law, the Act respecting the protection of personal information in the private sector, which applies to Québec-based private sector entities as well as out-of-province companies doing business involving personal information of Québec residents. Additionally, Québec’s privacy regulator, the Commission d’accès à l’information (CAI), has previously assumed jurisdiction over federally-regulated businesses as well (see D’Allaire c. Transport Robert (Québec) 1973 ltée, 2020 QCCAI 152). Accordingly, federally-regulated businesses should also be aware of changes brought on by Bill 64 with respect to the collection, use, or disclosure of personal information.
Under the amended Act, administrative monetary penalties may be imposed on companies that contravene certain provisions of the law of up to CA$10 million or 2% of worldwide turnover of the preceding year, and fines of up to CA$25 million or 4% of worldwide turnover of the preceding year for several new offences created by Bill 64. Furthermore, the Bill also provides for a private right of action for certain acts and omissions.
Key changes coming into force on September 22, 2022
1. Privacy officers
Starting September 22, 2022, by default, the person with the highest authority within a company (e.g., the CEO) will be considered as the “person in charge of the protection of personal information,” a new required role under the amended Act. Companies may delegate this role (essentially a privacy officer) to a member of personnel in the organization or to an external third party, provided the delegation is made in writing.
No specific qualifications are required for this role, nor does this person have to be located in Québec (or Canada). However, the person should be familiar with the requirements of the Act.
Businesses are also required to publish on their website the “title and contact information” of the person in charge of the protection of personal information. The individual’s name is not required.
- Ensure the appropriate written delegation has been prepared and authorized.
- Such delegation may be short and straightforward, but consider including a description of the activities that are specifically being delegated, and that are described in the amended Act as being the responsibility of the privacy officer:
  - Approving governance policies and practices regarding the protection of personal information.
  - Participating in the conduct of privacy impact assessments (PIAs) and suggesting measures to ensure the protection of personal information involved in the project.
  - Recording any communication to another organization or public body that may mitigate the injury caused by a confidentiality incident.
  - Advising the organization in the assessment of the injury caused by a confidentiality incident.
- Ensure websites and other privacy materials contain the title and contact information of the privacy officer.
2. Mandatory breach reporting
The provisions related to the management of “confidentiality incidents” also come into force on September 22, 2022. In particular, if a confidentiality incident presents a “risk of serious injury,” an organization will be required to “promptly” notify the CAI and affected individuals. Companies have the discretion to also notify any other person or body that could reduce the risk.
Further, according to the proposed Regulation respecting Confidentiality incidents, companies will be required to maintain records of confidentiality incidents for five years after the date or time period when the company became aware of the incident.
- Update existing incident response plans to include the new Québec requirements (including noting the differing requirements among the federal, Alberta and Québec regimes).
- Understand the scope of the term “confidentiality incident” and how it is potentially broader than the federal “breach of security safeguards” provisions.
- Understand how to assess “risk of serious injury” and the factors required to be considered (i.e., the sensitivity of the information affected, the anticipated consequences of its use, and the likelihood that such information will be used for injurious purposes). Note that the person making this assessment must also “consult” the privacy officer, so ensure this is built into any processes or policies.
- Prepare a checklist of items that must be included in any required report to the CAI (i.e., (1) company name and contact information; (2) a description of the personal information affected or why such information is not known; (3) a description of the circumstances of the incident; (4) the date or time period when the incident occurred or, if that is not known, the approximate time period; (5) the number of persons affected and the number of those who reside in Québec; (6) a description of the factors that led the organization to conclude there was a risk of serious injury; (7) the measures the organization has taken or intends to take to notify affected persons; (8) the measures the body has taken or intends to take after the incident occurred; and (9) any notifications provided to organizations outside Québec that perform a function similar to the CAI (e.g., data protection authorities)).
- Prepare a checklist of items that must be included in any required notices to affected individuals (i.e., (1) a description of the personal information affected or why such information is not known; (2) a description of the circumstances of the incident; (3) the date or time period when the incident occurred or, if that is not known, the approximate time period; (4) a description of the measures the organization has taken or intends to take after the incident occurred in order to reduce the risks of injury; (5) the measures that the organization suggests affected persons take in order to reduce the risk of injury or mitigate any such injury; and (6) the contact information where an affected person can obtain more information).
- Prepare a template register of ALL confidentiality incidents (even if they do not create a risk of serious injury), to ensure incidents are being recorded consistently and with the information required by the draft Regulations (i.e., (1) a description of the personal information affected by the incident or why such information is not known; (2) the circumstances of the incident; (3) the date or period of the incident; (4) the date or time period when the organization became aware of the incident; (5) the number of persons affected; (6) a description of the factors that led the organization to conclude there was, or was not, a risk of serious injury; (7) the dates on which reports to the CAI or notifications to affected individuals or others were sent, and whether the organization issued any public notices and why; and (8) a description of the measures the organization has taken to reduce the risks of injury).
3. Exceptions to the consent requirement
Two exceptions regarding the requirement to obtain consent come into force.
The first concerns the commercial transaction context where consent will no longer be required as long as a written agreement is in place in which the organization receiving the personal information must undertake to use the information only for the purpose of completing the commercial transaction and to not communicate the information without the individual’s consent unless otherwise authorized by the Act. The receiving organization must also agree to take the necessary measures to ensure the protection of the confidentiality of the information and destroy the information if the commercial transaction is not completed or if its use is no longer necessary.
The second exception is with regard to research or statistical purposes. Bill 64 replaces the current authorization process with a new framework which requires companies to conduct a PIA to determine whether the personal information is needed to achieve the objective and if it is unreasonable to require consent. Furthermore, the PIA must conclude that the objective of the research outweighs the impact on individual privacy and that only necessary information is used in a manner that ensures its confidentiality.
- Amend template agreements to reflect the necessary provisions to allow the organization to proceed with a commercial transaction without having to obtain consent.
4. Registration for biometric information systems
Bill 64 also introduces changes to Québec’s Act to establish a legal framework for information technology (the Québec IT Act) regarding disclosure requirements concerning the use of biometric databases. Previously, organizations were required to notify the CAI of the creation of a “database of biometric characteristics” and obtain the express consent of individuals for the collection of their biometric data.
Bill 64 adds the obligation for organizations to notify the CAI of any use of “biometric systems” for the verification or confirmation of identity, even if no biometric data is stored in a database.
Furthermore, Bill 64 now adds a notification timeline, amending the Québec IT Act to require organizations to notify the CAI of the creation of any biometric data bank no later than 60 days before it is put into service.
Finally, Bill 64 designates biometric information as being sensitive, and organizations should ensure their protections are commensurate with the designation.
- Review planned projects and initiatives to determine if any “biometric systems” will be used.
- Update privacy impact assessment (PIA) templates to include questions about whether biometric information will be collected or stored, whether biometric databases will be created, and whether biometric systems will be used.
- Review third party vendors/service providers to determine if biometric systems are in use.
- Review processes for handling biometric information.
If you have any questions about changes to privacy law in Québec or anywhere in Canada, please feel free to reach out to a member of Dentons Canada’s Privacy and Cybersecurity Group.
For more information about Dentons’ data expertise and how we can help, please see our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, data mapping and gap analysis, and training in respect of personal information.
The authors would like to thank their co-author, Dan Mackwood, an Articling Student, for his assistance in preparing this article.